Role in IT decision-making process:Align Business & IT GoalsCreate IT StrategyDetermine IT NeedsManage Vendor RelationshipsEvaluate/Specify Brands or VendorsOther RoleAuthorize PurchasesNot Involved

Work Phone:

Company:

Company Size:

Industry:

Street Address

City:

Zip/postal code

State/Province:

Country:

Occasionally, we send subscribers special offers from select partners. Would you like to receive these special partner offers via e-mail?YesNo

Your registration with Eweek will include the following free email newsletter(s):News & Views

By submitting your wireless number, you agree that eWEEK, its related properties, and vendor partners providing content you view may contact you using contact center technology. Your consent is not required to view content or use site features.

By clicking on the "Register" button below, I agree that I have carefully read the Terms of Service and the Privacy Policy and I agree to be legally bound by all such terms.

Choosing a Security Consultant? Beware

In last month's column, I discussed some of the factors to consider in deciding whether to have a penetration test done for your organization.

In last months column, I discussed some of the factors to consider in deciding whether to have a penetration test done for your organization. But how should you go about deciding who to hire and—perhaps more importantly—who to avoid? First, a good security consultant should be able to provide a complete explanation of the penetration testing process and methodology that will be used and a general road map of what a penetration test looks like. The consultant should be able to talk at length about what scripts or software it will use and what its level of experience is with those tools.

The consultant should also be able and willing to scope the testing processes in great detail for you. For example, make sure your potential consultant will discuss which, if any, systems will be off-limits for all or part of the exercise and what hours should be excluded from the effort. Are DoS (denial-of-service) attacks to be part of the engagement, and do you want social engineering attempts involved? Do you want the vendor to dial your phone number blocks in search of modems (war dialing)? Talk to them about whether you want them to actually remove data from your systems if an intrusion attempt is successful or simply note the ability to do so.

In addition, assuming the test results in a breach, do you want the faux intruders to leave back doors on your systems, and do you want them to cover their tracks well (by modifying log files) or intentionally leave clues lying around?

Finally, keep shopping for a vendor if the one youre talking to will not put its staffing policy in writing—particularly if it wont say whether it hires black-hat hackers. In addition, back off if its unwilling to sign nondisclosure agreements. Other bad signs include a reluctance to assign a 24-by-7 contact during the entire engagement or the urging of DoS attacks without extreme caveats.

Further reading

Show these folks the door if they wont provide or dont have customer references or if they are willing to speak specifically about work done for other named clients. Finally, its entirely reasonable to ask in advance for a sanitized copy of what your deliverable will look like. Be suspicious if you cant get one. And, always, be careful out there.